@Pchelolo
Last active August 7, 2020 14:05
--- envoy.yaml
# Generate two rate limiting descriptors if we can:
# - {value: ("user_class_per_ip", "<class>")
#
rate_limits:
  # If JWT is present in the request, is valid and contains a ratelimit override,
  # this will generate the following descriptor:
  # - {value: ("user_class","<class>"), override:(value:1000,unit:MINUTE)}
  # The ratelimit override will be applied by the service.
  # If JWT is present and valid, but does not have the override, the descriptor
  # will be generated, but will be ignored as it's not configured in the service.
  # If JWT is absent/invalid, no descriptor is generated.
  - stage: 0
    actions:
      - dynamic_metadata:
          descriptor_key: user_class
          metadata_key:
            key: envoy.filters.http.jwt_authn
            path:
              - key: jwt_payload
              - key: cid
      # - remote_address: {}  # Uncommenting this will make the rate apply per-client-per-ip
    limit:
      dynamic_metadata:
        metadata_key:
          key: envoy.filters.http.jwt_authn
          path:
            - key: jwt_payload
            - key: ratelimit
  # In case JWT is present/valid, this will emit the following descriptor:
  # - {value: ("user_class_anon_fallback","<class>")("remote_address","123.123.123.123")}
  # which will be ignored by the service, since we only match on the "anon" class.
  # In case JWT is absent/invalid, <class> would fall back to "anon", and the limit
  # statically configured in the ratelimit service will kick in.
  - stage: 0
    actions:
      - dynamic_metadata:
          descriptor_key: user_class_anon_fallback
          default: 'anon'
          metadata_key:
            key: envoy.filters.http.jwt_authn
            path:
              - key: jwt_payload
              - key: cid
      - remote_address: {}
--- ratelimit.yaml
domain: wikipedia
descriptors:
  - key: user_class_anon_fallback
    value: anon
    descriptors:
      - key: remote_address
        rate_limit:
          requests_per_unit: <PUT YOUR VALUE HERE>
          unit: minute
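
Added example (not part of the original gist, and not Envoy or ratelimit-service code): a small Python model of the descriptor logic that the comments in envoy.yaml describe, covering the three JWT cases. The function names, the claim shape with "value" and "unit" keys (taken from the override notation in the comments), ANON_LIMIT and the sample address are assumptions.

```python
# Simplified model (an assumption, not Envoy or ratelimit-service code) of the
# descriptor logic described in the envoy.yaml comments.

ANON_LIMIT = 100  # constructed stand-in for <PUT YOUR VALUE HERE>, per minute


def build_descriptors(jwt_payload, remote_address):
    """Return the descriptors the two rate_limits entries would emit.

    jwt_payload is the validated JWT payload dict, or None when the JWT is
    absent or invalid (no jwt_authn dynamic metadata is available then).
    """
    descriptors = []
    # Entry 1: user_class, emitted only when the cid claim is available.
    if jwt_payload and "cid" in jwt_payload:
        d = {"entries": [("user_class", jwt_payload["cid"])]}
        if "ratelimit" in jwt_payload:
            d["override"] = jwt_payload["ratelimit"]
        descriptors.append(d)
    # Entry 2: user_class_anon_fallback, always emitted because of the default.
    cls = (jwt_payload or {}).get("cid", "anon")
    descriptors.append({"entries": [("user_class_anon_fallback", cls),
                                    ("remote_address", remote_address)]})
    return descriptors


def effective_limits(descriptors):
    """Return (entries, requests, unit) for each descriptor that is enforced."""
    enforced = []
    for d in descriptors:
        entries = d["entries"]
        if "override" in d:
            # The override travels with the descriptor and is applied by the service.
            o = d["override"]
            enforced.append((entries, o["value"], o["unit"]))
        elif entries[0] == ("user_class_anon_fallback", "anon"):
            # Only static rule in ratelimit.yaml: anon class, keyed per remote_address.
            enforced.append((entries, ANON_LIMIT, "MINUTE"))
        # Anything else is not configured in the service and is ignored.
    return enforced
```

In this model a valid JWT without a ratelimit claim yields two descriptors and no enforced limit, which matches the "will be ignored" cases in the comments.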